Talk:PHP CSRF Guard

Flaws and Updates

2012/12/08

Thanks very much.
---
Jakub
On 8 December 2012 00:54, Abbas Naderi <abbas.naderi@owasp.org> wrote:
Yes but then I assumed you don't have edit permissions on the wiki. I'll do this and mention you on the bottom and discussion page.
-Abbas
On 18 Azar 1391 (8 December 2012), at 3:17, Jakub Kałużny <jakub.artur.kaluzny@gmail.com> wrote:
You probably meant changing wiki, sorry :)
On 8 December 2012 00:47, Jakub Kałużny <jakub.artur.kaluzny@gmail.com> wrote:
Hi,
just change
if (!isset($_POST['CSRFName']))
to
if (!isset($_POST['CSRFName']) || !isset($_POST['CSRFToken']))
this should work.
Jakub
On 8 December 2012 00:43, Abbas Naderi <abbas.naderi@owasp.org> wrote:
Hi Jakub,
You are right and we are aware of this. Would you like to fix it or I shall do so?
-Abbas
On 18 Azar 1391 (8 December 2012), at 3:11, Jakub Kałużny <jakub.artur.kaluzny@gmail.com> wrote:
Hi Abbas,
I found a note about a bug in PHP CSRF Guard
(http://blog.kotowicz.net/2012/12/on-handling-your-pets-and-csrf.html)
The code was patched so that a NULL $token cannot be validated with an
empty ("") CSRFToken parameter.
Isn't the code still vulnerable by passing a non-existing CSRFName and
not passing CSRFToken?
Only the CSRFName is checked - if(!isset($_POST['CSRFName']))
but later then there is $token=$_POST['CSRFToken'] which still can be
null if no CSRFToken parameter is passed.
Regards,
Jakub

2012/12/06

Hi Krzysztof,
Thanks for the tip.
Actually I did the code on the fly and never got to test it! And never had a chance to review it.
Thanks for fixing the flaw.
Would be a good idea to post this email on discussion page of the wiki so that people know the flow and update it.
Also add a version on top of the code.
Regards
-Abbas
On 16 Azar 1391 (6 December 2012), at 17:44, Krzysztof Kotowicz <krzysztof.kotowicz@securing.pl> wrote:
Hi!
PHP CSRFGuard that you posted at OWASP wiki
https://www.owasp.org/index.php/PHP_CSRF_Guard is vulnerable to a simple
bypass method:
When you submit a non-existing form id as CSRFName and an empty CSRFToken,
the csrf_validate_token() function will return true.
function csrfguard_validate_token($unique_form_name,$token_value)
{
    $token=get_from_session($unique_form_name);
    // non existing form name, $token = null;
    if ($token===false)
    {
        return true;
    }
    elseif ($token==$token_value) // type insensitive comparison!!
    {
        // $token_value = "", $token = null, both are equivalent to == operator
        $result=true;
    }
    else
    {
        $result=false;
    }
    unset_session($unique_form_name);
    return $result;
}
I've been able to exploit it already on a live site for a client that
used PHP CSRFGuard. I've fixed the code on wiki by using === operator.
This is just to notify you of the change, if you use this project elsewhere.
--
Best regards,
Krzysztof Kotowicz
SecuRing
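
Both bypasses discussed above (the loose == comparison from the 2012/12/06 message and the missing isset() on CSRFToken from the 2012/12/08 message) can be reproduced side by side with a hardened version. The following is an added example written for this discussion page; it is not the PHP CSRF Guard project's own code. The session is replaced by a plain array so it runs from the CLI, get_from_session()/unset_session()/set_in_session() are stand-ins modelled on the behaviour described in the thread (an unknown form name reads as null, not false), and the handler functions, the form name "no_such_form" and the token "deadbeef" are constructed for the demonstration.

```php
<?php
// Added example, not the PHP CSRF Guard project's code. The session is a plain
// array so this runs from the CLI without session_start(); get_from_session()
// and unset_session() are stand-ins modelled on the behaviour the thread
// describes (an unknown form name yields null, not false). Form name and
// token values below are constructed for the demonstration.

$fake_session = array();

function set_in_session($key, $value)
{
    global $fake_session;
    $fake_session[$key] = $value;
}

function get_from_session($key)
{
    global $fake_session;
    // Models the original helper: no isset() guard, so an unknown key reads as
    // null, which is why the "=== false" branch in the validator never fires.
    return array_key_exists($key, $fake_session) ? $fake_session[$key] : null;
}

function unset_session($key)
{
    global $fake_session;
    unset($fake_session[$key]);
}

// Validator as quoted in the 2012/12/06 message: loose == comparison.
function vulnerable_validate_token($unique_form_name, $token_value)
{
    $token = get_from_session($unique_form_name);
    if ($token === false) {
        return true;
    } elseif ($token == $token_value) {   // null == "" and null == null are both true
        $result = true;
    } else {
        $result = false;
    }
    unset_session($unique_form_name);
    return $result;
}

// Hardened validator: the stored token must be a non-empty string, the
// submitted one a string, and the comparison strict and constant-time.
function hardened_validate_token($unique_form_name, $token_value)
{
    $token = get_from_session($unique_form_name);
    unset_session($unique_form_name);   // consume the one-shot token either way
    if (!is_string($token) || $token === '' || !is_string($token_value)) {
        return false;
    }
    return hash_equals($token, $token_value);
}

// Caller before the 2012/12/08 fix: only CSRFName is checked, so a missing
// CSRFToken reaches the validator as null (the original read $_POST['CSRFToken']
// directly; the ternary reproduces the null without the undefined-index notice).
function vulnerable_handle_post(array $post)
{
    if (!isset($post['CSRFName'])) {
        return false;
    }
    $token_value = isset($post['CSRFToken']) ? $post['CSRFToken'] : null;
    return vulnerable_validate_token($post['CSRFName'], $token_value);
}

// Caller with the 2012/12/08 fix applied: both fields must be present.
function hardened_handle_post(array $post)
{
    if (!isset($post['CSRFName']) || !isset($post['CSRFToken'])) {
        return false;
    }
    return hardened_validate_token($post['CSRFName'], $post['CSRFToken']);
}

// Constructed forged requests: unknown form name with an empty token (the
// 12/06 bypass) and with no CSRFToken field at all (the 12/08 bypass).
$forged = array(
    'empty token'   => array('CSRFName' => 'no_such_form', 'CSRFToken' => ''),
    'missing token' => array('CSRFName' => 'no_such_form'),
);
foreach ($forged as $label => $post) {
    printf("%-14s vulnerable=%s hardened=%s\n", $label,
        var_export(vulnerable_handle_post($post), true),
        var_export(hardened_handle_post($post), true));
}

// A genuine round trip still passes the hardened path.
set_in_session('login_form', 'deadbeef');
printf("genuine        hardened=%s\n",
    var_export(hardened_handle_post(array('CSRFName' => 'login_form', 'CSRFToken' => 'deadbeef')), true));
```

Running it shows the vulnerable path accepting both forged requests while the hardened path rejects them and still accepts the genuine one. Note that the two fixes are independent: switching == to === stops null == "" but still lets null === null through when the CSRFToken field is absent, which is exactly the case the 2012/12/08 isset() check closes; the hardened validator additionally refuses a non-string or empty stored token so that a session entry that was never set cannot match anything.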